Quote:
Originally Posted by gpatrick
...but is there an example somewhere of how to use chroot and systrace to make it that way for a specific domain.
The modified version of Apache 1.3 available in OpenBSD can be run from within a chroot(8):
http://openbsd.org/faq/faq10.html#httpdchroot
As for tightening down what syscalls are allowed, both Lucas (author of Absolute OpenBSD) and Palmer & Nazario (authors of Securing Architectures with OpenBSD) cover this in the following sets of articles:
Both sets of authors discuss iteratively constraining what syscalls are allowed by poring over the output from:
# systrace -A /usr/sbin/inetd
The basic question you are asking is how can Apache be made to talk to multiple chroot(8)'s. While I suspect the answer will be quite tedious in looking through systrace -A output (which is error-prone & requires constant maintenance...), I would be remiss if I didn't mention three important points:
This should indicate that acceptance/interest in systrace(1) has waned. Even the information from Lucas and Palmer & Nazario is dated (circa 2003-2004). You need to think twice before committing your business to rely on a technology that is no longer regarded as being secure.
Quote:
I understand how chroot works, but I am using Perl and MySQL for my sites and it is a little work to get that in chroot.
As I understand, Perl code can be written to jump out of a chroot(8). This further supports the developers' sentiment that systrace(1) creates a false sense of security.